A Guide To Implementing Cloud Services
Better Practice Guide
SEPTEMBER 2012
1. Introduction
Like any new delivery model, a first step is to target low risk, low value
applications or pilots from which the organisation can measure actual
costs and benefits, gain insights and draw lessons for future
endeavours. The Strategic Direction Paper encourages agencies to
adopt public cloud-based services for public facing unclassified
government services and to undertake proof of concept studies to fully
understand the risks of cloud computing.
Agencies should develop a coordinated approach to cloud-based
services as an integral component of their ICT strategy and roadmap.
Figure 1 shows the various inputs which agencies should consider as
they develop such an approach. The following subsections offer
4 http://www.finance.gov.au/e-government/strategy-and-governance/gov2.html
[Figure 1: inputs to an agency's approach to cloud-based services:
business needs; cloud opportunities; organisational capability; timing
and triggers; change management; financial impacts and risks;
governance; security.]
1.1 Information
From an information perspective, agencies maintain the same
legislative and policy obligation to protect and manage information
across the information lifecycle regardless of where it is stored and
processed. This obligation includes compliance with the Protective
Security Policy Framework (PSPF)5 and the Information Security Manual
5 http://www.protectivesecurity.gov.au/
1.2 Services
As part of determining which services are appropriate for the cloud,
agencies should consider the business problem or opportunity. When
evaluating which end-to-end business services are suitable for the
cloud, agencies should consider the services that:
- have stable and consistent functional requirements;
6 http://www.dsd.gov.au/infosec/ism/
7 http://www.protectivesecurity.gov.au/governance/security-risk-management/Pages/Supporting-guidelines-for-security-risk-management.aspx
8 http://www.finance.gov.au/e-government/strategy-and-governance/australian-government-architecture.html
The other cloud computing better practice guides are a useful resource
for agencies to help identify risks and determine suitable treatment
strategies. Agencies should also consider the cost to manage the
associated risks and its impact on the value proposition.
The following risk categories provide a useful start for identifying risks:
- Quality: does the cloud solution meet stakeholder needs;
- Financial: does the cloud solution provide value for money;
- Organisational: does the cloud solution work within the agency's
  culture;
- Integration: can the cloud solution meet objectives without
  business or technical integration difficulties;
- Compliance: does the cloud solution comply with the agency's legal,
  regulatory and policy obligations;
3.1 Functionality
Functional requirements will differ according to the type of cloud
service model:
- For IaaS, requirements will relate to the provision of processing,
  memory, storage and operating systems. Agencies will need to
  consider:
  - whether operating systems licence costs will be included in the
    solution or provided by the agency, and
  - what open source options are available.
- For PaaS, requirements should specify both the development and
  operating environment.
- For SaaS, requirements will be similar to those of a non-cloud
  solution.
3.2 Standards
Agencies will best achieve interoperability through the use of industry-
recognised open standards. While cloud-based services are not a new
technology, existing technology standards, programming interface
standards and data formats may need to be amended and new
standards implemented where necessary. For example, standards for
configuration and management of cloud-based services are still
maturing and tend to vary among CSPs.
Standards for cloud computing are evolving locally through the work of
Standards Australia and the national mirror committee of international
3.3 Performance
Performance requirements derive from the business model and from
business impact analysis. Although business will measure performance
from the user's perspective, there are several factors, such as
client-side processing and network delays, which CSPs will be unable
to control.
Performance requirements, such as availability, reliability,
recoverability, responsiveness and throughput are generally the same
as for internal systems. Specific requirements to consider include:
- availability metrics include a unit of time, e.g. downtime per month;
- guaranteed maximum outages and outage durations if reliability is
  critical;
- how much data can be lost and the minimum acceptable time to
  recover from both transient and catastrophic failures;
- both average and peak response times for various types of
  transactions; and
- the data size for transactions, and peaks and averages from the
  usage model.
3.4 Manageability
There are several requirements to consider regarding the ability to
configure and manage cloud-based services.
Agencies should note that the ICT Customisation and Bespoke
Development Policy9 applies to cloud-based services, particularly SaaS
and PaaS where customisation may reduce the financial benefit for the
agency.
Agencies should consider the following requirements:
- the ability to provision resources (e.g. on-demand or self-service),
  the speed of provisioning and the ability to cap resources;
- the availability of reports that map to business objectives and
  provide objective measurement of business performance, e.g. billed
9 http://www.finance.gov.au/e-government/strategy-and-governance/Whole-of-Government-ICT-Policies.html
3.5 Security
Security is a compulsory obligation as outlined in the PSPF and the ISM.
Agencies must determine the level of security required by undertaking
a risk assessment to determine the business impact for each
information set that is being considered for transition to a cloud
solution. The security assessment should consider:
- authorisation, end-user access controls and provider access
  controls;
- authentication, encryption, key management;
- data location and the applicability of foreign laws, data
  separation/segregation, data destruction;
- logging and audit;
- threat management; and
- physical security.
3.6 Compliance
Agencies should keep in mind their legislative and regulatory
obligations to keep data confidential or guarantee it's not lost or
destroyed. Many of these will translate into specific security and
requirements, or perhaps certification requirements.
Key legislation includes Public Service Act 1999, Freedom of
Information Act 1982, Privacy Act 1988, Archives Act 1983, Evidence
Act 1995, Copyright Act 1968 and the Electronic Transactions Act 1999.
There may be other policies, strategies and frameworks that a CSP will
need to comply with. Examples include:
- The Australian Government's Department of Finance and
  Deregulation circulars and advice including whole of government
  ICT policies, strategies, frameworks and policies, for example, use
  of Internet-based Network Connections Service (IBNCS) panel for all
  wide area network and internet connections, internet gateway
  reduction program for all internet gateways;
- agency-specific procurement policies; and
- agency-specific security policies.
For smaller initiatives, this guide provides a tailored version of the ICT
Business Case Template as an attachment. The attachment provides
specific guidance for developing a business case where a cloud
solution is an option.
This section should also be read in conjunction with the Financial
Considerations for Government Use of Cloud Computing which provides
further advice on assessing financial risks and preparing a financial
assessment.
The business case should begin with the rationale for adopting a cloud
solution weighed against other alternatives. It should capture the
business need, how the proposed adoption of a cloud computing
solution meets that need, and how it aligns with the agency's sourcing
strategy and architecture. Where this involves a move away from
traditional investments in ICT infrastructure and to the adoption of a
cloud solution, the rationale should support a specific business need.
For each option, the business case should include an analysis of the
cost model with identified costs, benefits, pricing model, contractual
adjustments, variation to contracts, and any changes in budgetary
appropriation types. The level of detail provided for each option should
be commensurate with its level of investment and risk.
Agencies must also put in place the internal capability and resources
needed to manage the cloud service on a daily basis. Ongoing operational
activities include:
3.5 Prepare an exit strategy which considers business continuity, disposition of data
and exit costs
3.6 Determine contractual terms prior to engaging the market
3.7 Approach the market, ensuring compliance with CPRs and agency CEIs
3.8 Select a provider, verifying claims on costs, architecture, reputation and capability
4 Confirm the benefits to ensure cloud solution provides the value and benefits
expected in the business case
4 Capture lessons learned and apply to future cloud-based services
1. Executive summary
1.1 Summary of Options
Use the executive summary to provide a brief description of the current
situation and the proposed response through deployment of a cloud
computing solution. Provide a summary of the available options
including initial cost estimates, proposed savings and the strengths
and weaknesses of each option. Consider using a table format similar
to the one below:
Option One: Option name
Brief Description: Include a one line description of the option
Vendor: Name of the proposed cloud computing vendor
Total Cost: $XX million
Total Savings: $XX million
Option Lifespan: N years
Strengths:
Weaknesses:
Recommendation:
2 Current Situation
This section sets out the issue/opportunity that the proposal seeks to
address. Provide an overview of the current situation, setting the
context for the agency, business, stakeholder situation, technical
environment and current risks.
The section must describe any gaps that the project must address to
meet the Critical Success Factors and performance indicators. Gaps
may be specific elements or more general service levels related to
current levels of interoperability, security and efficiency.
The purpose of this step is to clarify your ICT environment as it stands
and any shortfalls. It is not useful to revisit past developments and
events at this point. High level environment and architecture diagrams
can be helpful, but keep in mind the audience for the document when
thinking about the degree of technical detail to include.
3 Proposed Response
Having identified why the business case is being developed, the
proposed response section outlines what is being proposed to be done
in response. This is about identifying the desired end state or
destination, rather than the detail of how to get there.
Include a description of the proposed response with any evidence that
this will be an effective response to the current situation. This section
should focus on what is being proposed as a response, rather than
how that response can be delivered.
3.4 Benefits
Provide a statement of the benefits that the project will achieve and
indicative timing for when they will be realised. Include information on
how benefits will be measured and the expected targets to be achieved
for each measure.
Include interim and longer term benefits, and include any identified
negative implications (which might be fluctuations in user-pay
provisions of the contract, penalties for breaches of service level
standards by the CSP, etc).
4 Proposal Summary
A summary of the information provided about the current situation, the
proposed intervention using cloud solution options and the expected
benefits.
A high level visual representation of the cloud solution might be
helpful.
5 Solution Options
5.1 Design Criteria
Include where possible the high level requirements that any viable
cloud computing solution will be expected to deliver against. Note the
high-level business requirements that the solution must address.
Consider areas such as:
- changes in business practices;
- transitional considerations;
- security considerations;
- dependencies across ICT platforms and architecture;
- reliability, availability and maintainability;
- usability, flexibility, scalability, interoperability;
- speed to deploy; and
- major external interfaces.
6 Options Analysis
Summarise the most significant features of each option. Present a
tabular comparison of the options against costs, savings, contract
flexibility, implementation timeframe, design requirements listed above
and risk. Note any preferences in a Conclusions line.
The table below presents a possible presentation.
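| Requirement                        | Option 1 | Option 2 | Option 3 | Option N |
|------------------------------------|----------|----------|----------|----------|
| Benefits                           |          |          |          |          |
| Disadvantages                      |          |          |          |          |
| Total costs                        |          |          |          |          |
| Total savings                      |          |          |          |          |
| Flexibility of the contract        |          |          |          |          |
| Estimated implementation timeframe |          |          |          |          |
| Requirement 1                      |          |          |          |          |
| Requirement 2                      |          |          |          |          |
| Requirement N                      |          |          |          |          |
| Implementation risks               |          |          |          |          |
| Conclusion                         |          |          |          |          |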
7 Implementation Approach
Having identified the problem to be solved and the options to be
explored in response, this section of the business case is about
confirming the agency's capability and capacity to deliver the preferred
cloud solution.
Describe the implementation approach for delivering the cloud
solution, including the approach to market, the project/program
management governance structures and other key control and
assurance processes, describing variations for each identified option if
different.
Make note of any changes that will occur in the organisation's culture
that will support the deployment of the cloud solution.
It may also be appropriate to provide a visual representation of the
implementation through a roadmap, illustrating how the vision,
implementation strategy and delivery strategy interrelate leading to
the adoption of the solution.
8 Agency Capability
The purpose of this section of the business case is to provide agency
decision makers and stakeholders with sufficient context to inform any
decision it might make based on the agency's organisational capability.
Identify targeted capability areas in project management,
procurement/contract management, relationship management and
service management which will have to be addressed. Identify required
skill sets and determine which will need to be procured or developed
in-house. Propose a high-level approach to mature capability in
targeted areas. Include any costs in the business case.
The government has adopted the Portfolio, Programme and Project
Management Maturity Model (P3M3) as the common methodology for
assessing organisational capability. The model can help agencies
identify capability areas which will need to be addressed.
10 Risks
A high level risk analysis should be undertaken to identify the key risks
and the potential mitigating actions associated with cloud computing
options. Risks should be ranked according to the agency's established
risk management procedures. Refer to the DoFR Better Practice Guide
on Risk Management11 for more detailed guidance.
The following table provides some examples of risks and mitigating
responses:
| Key strategic risk | Risk rating* | Mitigating action |
|--------------------|--------------|-------------------|
| Business practices are not well understood prior to seeking cloud-based services via a vendor. | | Agency to conduct business processing mapping and analysis to identify business processes that will be efficiently managed through cloud computing solutions. |
| Commercial arrangements for cloud-based services are not well understood by the agency. | | Agency to seek advice from their procurement area on the nature of commercial arrangements associated with contracts with cloud vendors. |
| Business services with medium/high level risks are potentially identified for a cloud solution. | | Agencies to undertake scoping work to identify business services carrying low risk and potentially the most feasible services to transition to a cloud solution. |
| Business continuity failure as a result of vendor with low capability. | | Agency to determine capability of CSPs during the commercial assessment of the tender evaluation. |
| Security & information assurance failures. | | Agency to determine the physical location of data storage under a cloud arrangement and to seek security/information assurance guarantees from cloud vendor. Only those services carrying low security risks should be in scope of provision via a cloud computing vendor. |

* Risks are rated according to the agency's established risk management procedures.
Repeat this section of the business case for each option, including the
following subsections:
- Description
- Stakeholder Impact
- Costs
- Savings
- Benefit
- Summary Cost Benefit Analysis
- Risk
- Timeframe